When a federated user or a conference is involved, the media is sent over TCP via the AVMCU on the edge server, so the issue seemed to be with the outbound TCP 50000-59999 port range traversing the firewall.

The call fails with the following reason in the BYE:

Ms-client-diagnostics: 23; reason="Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote"

TCP NAT connectivity failed
This flag is expected. If local-to-local connectivity succeeded, the TCP NAT connectivity check may not have been tried. Or there is no direct TCP connection possible.
TCP NAT connectivity failing may result in an ICE protocol failure.

Another clue pointing to the TCP media port range.

We also saw a lot of TCP retransmits when doing packet tracing; the edge server was not happy with the TCP connection when trying to set up the desktop sharing session.

What we realised fairly early was that all customers reporting this were running Palo Alto firewalls, which try to identify the application in the traffic instead of just looking at port numbers the traditional way.

After quite a bit of troubleshooting – everything was set up by the book, and nothing seemed to be wrong other than the media failing – we were able to open a case with Palo Alto support, and it eventually turned out to be a bug in the Palo Alto software: it does not recognize the desktop sharing session for what it is, but tries to decrypt the session – even if no decryption is configured anywhere else on the firewall. As far as we can tell the bug was introduced in version 6.1.3, and it has been reported fixed in an upcoming version 7.0.3. PAN support gave this workaround:
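To pick this BYE reason out of a SIP trace automatically, here is an added Python example (not from the original post or from either vendor); the sample BYE message is constructed, and the function names are my own.

```python
import re
from typing import Optional

# Constructed sample of a SIP BYE carrying the diagnostic the post describes.
SAMPLE_BYE = """BYE sip:edge.example.com;transport=tls SIP/2.0
Via: SIP/2.0/TLS 192.0.2.10:50231
ms-client-diagnostics: 23; reason="Call failed to establish due to a media connectivity failure when one endpoint is internal and the other is remote"
Content-Length: 0
"""

# First ms-client-diagnostics header (header names are case-insensitive in SIP).
HEADER_RE = re.compile(r"^ms-client-diagnostics\s*:\s*(?P<body>.+)$",
                       re.IGNORECASE | re.MULTILINE)
# key=value pairs after the numeric id; values may be quoted strings.
PAIR_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]+)')

# Diagnostic id quoted in the post for the internal<->remote media failure.
MEDIA_CONNECTIVITY_FAILURE_ID = 23


def parse_client_diagnostics(sip_message: str) -> Optional[dict]:
    """Return {'id': int, 'reason': str, ...} for the first diagnostics header, or None."""
    m = HEADER_RE.search(sip_message)
    if not m:
        return None
    body = m.group("body").strip()
    diag_id, _, rest = body.partition(";")
    result = {"id": int(diag_id.strip())}
    for key, value in PAIR_RE.findall(rest):
        result[key.lower()] = value.strip().strip('"')
    return result


def is_media_connectivity_failure(diag: Optional[dict]) -> bool:
    """True when the BYE reports the media connectivity failure described in the post."""
    return diag is not None and diag.get("id") == MEDIA_CONNECTIVITY_FAILURE_ID


if __name__ == "__main__":
    diag = parse_client_diagnostics(SAMPLE_BYE)
    print(diag)
    print("media connectivity failure:", is_media_connectivity_failure(diag))
```

A hit from this check on calls that involve a federated or conference leg is the cue to look at the TCP 50000-59999 media path through the firewall before anything else.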

10 thoughts on “Desktop sharing issues with Palo Alto firewalls”

I had the same problem with Palo Alto as well for my edge connected users. We had to completely move away from the application-based rules and use port-based rules. The app sharing was failing just like you mentioned. Good to know that Palo Alto is going to fix it. Thanks for the additional info.

Hello, would you be willing to provide the Palo Alto ticket number so that I can provide it to the Support Engineer that we are working with? They have not been able to locate any information referencing the bug. We have had the workaround in place for some time now and are still experiencing this issue.

Thanks so much. This article saved me. Been troubleshooting a Federation desktop sharing issue for weeks. Implemented your suggestion and voila! I had searched for such a solution on the PAN Community and I find nothing. Could you post this on the PAN Community site, or allow me to? It would make it SO much more accessible to others having the same problem.